
| Subject: | [NT] NCP VPN/PKI Client Multiple Vulnerabilities |
|---|---|
| Date: | 7 Mar 2006 19:32:59 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

NCP VPN/PKI Client Multiple Vulnerabilities
------------------------------------------------------------------------

SUMMARY

<http://www.ncp.de> NCP's Secure Communications "provides a comprehensive portfolio of products for implementing total solutions for high-security remote access. These software-based products comply fully with all current major technology standards for communication and encryption, as defined by the IETF (Internet Engineering Task Force) and ITU (International Telecommunication Union)".

Several security vulnerabilities have been found in the NCP VPN/PKI Client.

DETAILS

Vulnerable Systems:
 * NCP VPN/PKI client version 8.11 Build 146

1. Unnamed

If you create a rule using the Client Firewall, you're able to bind an application to this rule. Unfortunately, no hash value (for instance) will be created for this application. So you can easily pick another application, put it into the directory, rename it and use it with this rule.

Vendor response: NCP is aware of this problem. A later version of the client will come with a hash-function.

2. Buffer Overflow with Privilege Escalation (some sort of), DoS

Some of the installed applications did not like being started with a large number of arguments.

Example 1: In my current test-configuration I'm not able to go to or configure 'IPSec' in the menu 'configuration'. If I run 'ncpmon.exe' with >=261 characters I get a slightly different GUI. And it's not only the GUI which is different. Now I'm able to go to the 'IPSec' menu and configure the settings.

Example 2: Run 'ncprwsnt.exe' with enough arguments and your CPU utilization will rise to 100%.

Vendor response: NCP is currently checking this problem(s).

3. DoS, remote

Ramon picked the first DoS code he found, tried it and was surprised that this old piece of code is still working. Using the <http://cert.uni-stuttgart.de/archive/bugtraq/2003/09/msg00020.html> 'ZoneAlarm remote Denial Of Service exploit' it's possible to raise the memory usage and the CPU utilization. Let it run for 1-2 minutes and you will notice the decreasing speed of your machine. And at least it's possible to make it impossible for you to continue working with the PC.

Vendor response: NCP is currently checking this problem(s).

4. Local Privilege Escalation

One feature of the client is that you can execute a script called 'connect.bat' after you have established a connection with your VPN gateway. The script isn't executed by the client, but by the service 'ncprwsnt', which runs with the local system account. So add a little script in the program directory of the NCP VPN/PKI Client with a nice 'net user /add' and 'net localgroup /add' mix to escalate your privileges.

Vendor response: This 'Feature' is known to NCP. A couple of customers are using exactly this functionality. A new release of the NCP VPN/PKI Client, which will arrive in the next few weeks, will fix this 'problem'.

Disclosure Timeline:
2006-02-13 - Found the Bugs
2006-02-15 - Mailed the vendor
2006-02-16 - The vendor replied

ADDITIONAL INFORMATION

The information has been provided by <mailto:ml2@portsonline.net> Ramon 'ports' Kukla.
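Items 1 and 4 share one root cause: the client trusts a file purely by its path (the bound application, the 'connect.bat' run by the SYSTEM service), so whatever is dropped at that path is trusted. The vendor response to item 1 promises a "hash-function"; the example below, added here and not NCP's code, shows what that hardening looks like by pinning a SHA-256 digest at registration time and refusing a file whose content no longer matches. File names and contents are constructed stand-ins.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Stream a file through SHA-256; the digest is what the rule or script entry pins."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def register(path):
    """Record an entry the way a hash-aware client would when the firewall rule
    (or the post-connect script) is first configured: location plus content digest."""
    return {"path": os.path.normcase(os.path.abspath(path)), "sha256": sha256_file(path)}

def path_only_ok(entry, path):
    # Behaviour described under item 1: only the location is compared, so any
    # file dropped at that path satisfies the rule.
    return os.path.normcase(os.path.abspath(path)) == entry["path"]

def pinned_ok(entry, path):
    # Hardened check for items 1 and 4: location AND digest must match, so a
    # swapped binary or an edited connect.bat is refused instead of trusted.
    return path_only_ok(entry, path) and sha256_file(path) == entry["sha256"]

def swap_demo(filename, original, replacement):
    """Create a file, register it, overwrite it in place (the swap the advisory
    describes) and report (path_only, pinned) before and after the swap."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, filename)
        with open(target, "wb") as f:
            f.write(original)
        entry = register(target)
        before = (path_only_ok(entry, target), pinned_ok(entry, target))
        with open(target, "wb") as f:
            f.write(replacement)
        after = (path_only_ok(entry, target), pinned_ok(entry, target))
    return before, after

def demo():
    # Constructed stand-ins for the bound application and the post-connect script.
    return {
        "firewall_rule": swap_demo("boundapp.exe", b"MZ original bound application",
                                   b"MZ unrelated program renamed into place"),
        "connect_bat": swap_demo("connect.bat", b"@echo off\r\nrem original actions\r\n",
                                 b"@echo off\r\nrem content changed after registration\r\n"),
    }

if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name}: (path_only, pinned) before swap={before}, after swap={after}")
```

For the item 4 case, the digest check belongs in the privileged service immediately before it launches the script, since that is the trust boundary the advisory shows being crossed.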